UK Becomes First Country To Ban Default Bad Passwords on IoT Devices

The United Kingdom has become the first country in the world to ban guessable default usernames and passwords on IoT devices. Unique passwords installed by default are still permitted. From a report: The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum security standards for manufacturers, and demands that these companies be open with consumers about how long their products will receive security updates.

Manufacturing and design practices mean many IoT products introduce additional risks to the home and business networks they're connected to. In one often-cited case described by cybersecurity company Darktrace, hackers were allegedly able to steal data from a casino's otherwise well-protected computer network after breaking in through an internet-connected temperature sensor in a fish tank. Under the PSTI, weak or easily guessable default passwords such as "admin" or "12345" are explicitly banned, and manufacturers are also required to publish contact details so users can report bugs.
  • by GregMmm ( 5115215 ) on Monday April 29, 2024 @09:13AM (#64432656)

    Yes I get IoT items are targets and going to be targets because updates will stop. But the example is terrible. A casino? With an IT staff? Well here's one for you, don't connect your fish tank temperature sensor to your production network or as you call it their "well-protected computer network". Put it on an isolated network, or guest or anything else.

    • by Junta ( 36770 )

      Also, don't treat any network as "inherently trusted".

    • by AmiMoJo ( 196126 ) on Monday April 29, 2024 @09:26AM (#64432696) Homepage Journal

      It's more aimed at consumers who plug their ISP supplied router in and never change any settings. Some years back one big ISP's routers used a default WiFi password that was just the wireless MAC address trivially transformed (XOR if I remember). Since the MAC address also identifies the manufacturer, it was pretty easy to find easily exploitable networks and use their broadband for nefarious purposes.

      • It's more aimed at consumers who plug their ISP supplied router in and never change any settings. Some years back one big ISP's routers used a default WiFi password that was just the wireless MAC address trivially transformed (XOR if I remember). Since the MAC address also identifies the manufacturer, it was pretty easy to find easily exploitable networks and use their broadband for nefarious purposes.

        The summary points to the real problem when it says "Unique passwords installed by default are still permitted". A necessary-but-not-sufficient practice would require ANY net-connected device to force the entry of a fresh password of specified complexity before the equipment is allowed network access.

        If doing that requires extra hardware - say, a USB or CAT5 port to connect to a computer or tablet to provide an interface for entering that initial password - then so be it. Good security is necessarily inconv

  • Gonna have to ban all that copy paste shit coming from China.
    • Re:Yeah how (Score:5, Interesting)

      by TWX ( 665546 ) on Monday April 29, 2024 @09:34AM (#64432718)

      My guess is that manufacturers will just add an initial-setup subroutine that won't allow setup to proceed until the default password is changed by the person doing the work.

      One issue with requiring each and every bit of hardware to have a unique password will be more e-waste if these devices are less useful on the secondary market. A common technique to work with old hardware is to perform a factory reset on the bench before reconfiguring it for one's own purposes.

      Then again, since most devices, even cheap devices, have their MAC addresses printed on them, it wouldn't be all that difficult to populate the same table used for that with the factory unique password in the printing system, and to then include that unique password on the label. It would still be a good idea to force the user to change the password, but if they don't then it would at least require someone to have gained physical access to the device in order to get that password. I suppose a dictionary attack could be used if the vendor password list leaked to the Internet as well, but that's a whole new level of failure.

      • Re: (Score:3, Insightful)

        by Luckyo ( 1726890 )

        A lot of routers already have a unique password printed on them when you buy them. So it makes sense if your IoT thing just has a unique default password printed on a sticker/lasered on. Or at least on the box.

      • manufacturers will just add an initial-setup subroutine that won't allow setup to proceed until the default password is changed.

        That's the better method. The method of embedding a unique password in the ROM at the factory (like Netgear) is certainly problematic. But also every single ISP router. Because they all rely on a sticker not getting damaged or degraded over time. I get that they aren't handled like laptops (whose underside stickers often end up completely illegible).

        • by TWX ( 665546 )

          At least on laptops I've bought since 2016, there's been a metal flap on the underside that the sticker is behind. The flap could theoretically be torn off I suppose, but it's held with a magnet and is recessed enough to make that reasonably unlikely.

      • by Zocalo ( 252965 )
        They'll probably just use the MAC for the initial password because, as you say, the device has almost certainly already got a printed label with it on and it doesn't involve any special characters, so no change to the manufacturing process at all - just a bit of code and a documentation update. Equally, a hardware reset would simply reset the password to the MAC as well as wipe any config info, so no issues with generating extra e-waste, unless the device was shit to start with (we are talking IoT afteral
      • QNAP NAS devices default to user admin, with the password being the MAC without any colons. This does work well enough, and for the most part, one never uses this in any process unless they hit the reset button because they got locked out of their appliance, as the QNAP setup process disables the admin account by default and prompts for a username/password on initial install.

        What would be close to ideal for more complex devices is an e-ink display. On initial setup, it would display a simple, easy to read

        • by TWX ( 665546 )

          This makes me wonder about having a new form factor for a serial cable. Something like the RJ11 serial cable Cisco routers use, or maybe using RS232 over USB-C. This way, someone can configure a security sensitive device on a wire or using a cable before it ever sees the network.

          What you're talking about is YOST.

          https://yost.com/computers/RJ4... [yost.com]

          The problem with it isn't the signaling at the port, it's getting the serial part to work on the host PC or other device being used. Almost nothing has an RS-232 DE-9 port anymore, and even USB-A is becoming less common. Plus the FTDI scandal with cloned chips and nonfunctional drivers is another major problem.

  • by El Fantasmo ( 1057616 ) on Monday April 29, 2024 @09:19AM (#64432672)

    California passed legislation to ban this in 2018. Does that mean it's basically all devices sold in the U.S., rather than splitting compliance?

    https://techcrunch.com/2018/10... [techcrunch.com]

    • by Junta ( 36770 ) on Monday April 29, 2024 @09:29AM (#64432706)

      One difference is that the California password law still allows bad default passwords, so long as it enforces 'change on first use', which is a concession to a lot of automation, but if someone *never* uses it, it stays at a bad default value. UK law says it must be unique.

      Another difference is the California law allows the password to be pretty guessable, e.g. derived from a serial number or some incrementing counter. The UK law says that the password must not be guessable/derived from some counter or serial number.

      So one could argue that California did not ban 'bad' default passwords, but just banned the subset of 'well-known common default passwords that can be used to do more than change the password'.

      • if someone *never* uses it, it stays at a bad default value. UK law says it must be unique.

        At that point, it's not a "default" password, but just a setup code. It wouldn't be powered on and connected in that state.

        • by Junta ( 36770 )

          Depends on the product.

          Let's say you have a router, that router implements enough to work by default, and the 'setup code' is indeed needed to set it up, but the default operational state was good enough that you didn't actually "set it up". There's a lot of devices that are likely to have a "probably good enough" default operational state that may leave the password/setup code alone so that at some point in the undetermined future an attacker gets to be the one to "claim" the device rather than the reason

          • For example a well known default that is only viable if the device is 'off' and inoperable. Or a time limit from power on after which the setup code becomes inactive (like an hour or something), after which you have to unplug/replug device to get the setup code active again.

            Thinking about how the modems that your ISP rents you work like that. I can factory reset it in an offline mode but as soon as that device hit the network it will be identified and flashed and password changed. A lot of signage players I've worked with operate on that principle, once the device is on your account you assign it a config from your dashboard and even if it's factory reset if it goes online it will find it's been claimed and update itself. The only way to change the password is via the dashb

          • This is a tough area... people need a router to be on the network, but it needs a secure channel for setup, and ideally a channel that can't be hijacked if someone other than the owner connects to the device after it is powered on. Having an e-Ink display that shows a temporary setup code can help, but that does cost money. Using Bluetooth is also a way, but someone else might be able to hijack it before the legit owner can complete pairing. NFC communication between the router and phone to establish a p

            • by Junta ( 36770 )

              If the setup code is a truly random sequence of 12 or so ascii characters only available through inspecting the labeling, then I think that could live on a while.

              Problem is that scheme is highly automation hostile, and if applied to something like a fleet of hundreds or thousands of devices, wouldn't be workable. So a device targeting fleet style deployment needs some other strategy. Not sure if the UK law provides some sort of provision that would work for a mass headless deployment.

      • by Bert64 ( 520050 )

        One difference is that the California password law still allows bad default passwords, so long as it enforces 'change on first use',

        For a lot of devices, the default configuration works sufficiently that no one ever bothers to log in and change anything, or people don't even realise the device is there at all.
        IPMI devices are a good example of this, built in to most modern servers but you don't have to use them - the server will operate perfectly well if you connect a monitor and keyboard instead, so some people do that and have no idea that a default IPMI device is sitting there waiting to be used by someone nefarious.
        Similarly consider

      • If they know your serial number, they probably have physical access and at that point it's probably too late for any kind of password policy to do any good. Not that it's too difficult for a company to comply with not having the initial password based off of a serial number, but any algorithmic scheme to generate passwords makes it somewhat guessable if you know enough about the algorithm.
        • by Junta ( 36770 )

          Well, for serial number, you have some issues:
          -Some devices announce their serial number via some unauthenticated mechanism. There are utilities that list devices from a certain vendor and they'll list details like serial number so you can decide if you should/should not try to set it up.
          -Even if not announced, the serial number makes for a nice dictionary. If I know that the password is XXXXYYYY where X is some alphabetic prefix number and Y is a numeric incrementing by 1, then the password may well be p
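A sketch of the setup gate that several comments above describe (a per-device random label code rather than one derived from a MAC or serial, a code that is only live for a window after power-on, a factory reset that re-arms it, and no network access until a fresh password is set), written as an added example that is not part of any comment in the thread; the class and function names and the policy values (one-hour window, 12-character code, 12-character minimum password) are assumptions:

```python
import hashlib
import hmac
import secrets
import string

SETUP_WINDOW_SECONDS = 3600   # assumed policy: label code accepted within an hour of power-on
CODE_ALPHABET = string.ascii_letters + string.digits   # printable on a label, no specials
CODE_LENGTH = 12              # assumed; ~71 bits from a CSPRNG, not derived from MAC/serial
BANNED_DEFAULTS = {"admin", "password", "12345", "123456"}

def generate_setup_code():
    # Per-device code printed at manufacture; random, so no counter/serial dictionary.
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))

def password_acceptable(password, setup_code):
    # Minimal complexity rule: long enough, not a known default, not the label code itself.
    return (len(password) >= 12 and password.lower() not in BANNED_DEFAULTS
            and not hmac.compare_digest(password.encode(), setup_code.encode()))

class DeviceSetupGate:
    def __init__(self, setup_code, clock):
        self._setup_code = setup_code   # the value on the sticker
        self._clock = clock             # injectable time source, in seconds
        self.factory_reset()

    def factory_reset(self):
        # Bench reset: wipes the owner password and re-arms the label code.
        self._claimed, self._salt, self._pw_hash, self._boot_time = False, None, None, None

    def power_on(self):
        self._boot_time = self._clock()   # unplug/replug starts a fresh setup window

    def setup_code_active(self):
        if self._claimed or self._boot_time is None:
            return False
        return self._clock() - self._boot_time <= SETUP_WINDOW_SECONDS

    def claim(self, presented_code, new_password):
        # Succeeds only inside the window, with the right code and an acceptable password.
        if (not self.setup_code_active()
                or not hmac.compare_digest(presented_code.encode(), self._setup_code.encode())
                or not password_acceptable(new_password, self._setup_code)):
            return False
        self._salt = secrets.token_bytes(16)
        self._pw_hash = hashlib.scrypt(new_password.encode(), salt=self._salt, n=2**14, r=8, p=1)
        self._claimed = True
        return True

    def network_allowed(self):
        # Normal operation (and network access) only after a fresh password is set.
        return self._claimed
```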

  • If only this country had a good working relationship with a Time Lord to go back and make this a requirement starting in 1995. Oh wait...
  • by bubblyceiling ( 7940768 ) on Monday April 29, 2024 @10:15AM (#64432840)
    Wifi Routers used to be a huge security risk due to their weak default passwords. This led to several attacks on unsuspecting users, and was eventually fixed by manufacturers. It is high time that IoT device manufacturers also follow suit
  • Beyond passwords, many IoT widgets are delivered with test code compiled-in that has comments at the top of the source along the lines of "/* DO NOT DELIVER THIS CODE */". I have seen releases where this happened, hackers took advantage, the test code was removed and then a year later reappears in an update. IoT product vendors spend more money on their box design than they do on the contract engineers that deliver the source code for their widget. There is some minimal level of QA that they need to be h
    • by Bert64 ( 520050 )

      The problem stems from vendors wanting to brand the equipment but don't have the expertise to develop their own firmware. You end up with firmware that's made by some Chinese OEM and then rebranded by a multitude of third parties. Even assuming the original OEM produces an updated firmware, you then have to wait for the individual reseller to apply their branding and release their branded version of the update. Often this doesn't happen at all and you're stuck with whatever version it rolled out the factory

  • Never would I have thought the UK would get tech legislation right!
  • No idea how they're going to make it happen

  • They got hacked because they have bad network policies. Anything IoT is absolutely untrusted, and must be placed in a segmented VLAN, that has zero access to anything you would rate as: “If it dies, I don't care”, level of importance or higher. If someone was able to jump from a sensor in a fish tank, to anything that could access an important node, the network engineer failed, or, there are some companies who need to be answering questions.

    Even if you wanted to log the data to an analytic e
